diff --git a/agenix/hosts/tanker/config.nix b/agenix/hosts/tanker/config.nix index 96cd51c3..5eeaa078 100644 --- a/agenix/hosts/tanker/config.nix +++ b/agenix/hosts/tanker/config.nix @@ -107,11 +107,6 @@ mautrix-signal-config = { file = ./mautrix-signal/config.age; - symlink = false; - path = "/var/lib/matrix-bridges/signal/config.yaml"; - mode = "640"; - owner = "1337"; - group = "1337"; }; signald-environment = { @@ -130,11 +125,6 @@ mautrix-whatsapp-config = { file = ./mautrix-whatsapp/config.age; - symlink = false; - path = "/var/lib/matrix-bridges/whatsapp/config.yaml"; - mode = "640"; - owner = "1337"; - group = "1337"; }; weewx-config = { diff --git a/agenix/hosts/tanker/mautrix-signal/config.age b/agenix/hosts/tanker/mautrix-signal/config.age index 43e272ea..4a1ae366 100644 Binary files a/agenix/hosts/tanker/mautrix-signal/config.age and b/agenix/hosts/tanker/mautrix-signal/config.age differ diff --git a/agenix/hosts/tanker/mautrix-whatsapp/config.age b/agenix/hosts/tanker/mautrix-whatsapp/config.age index 392bd75d..cff3194c 100644 Binary files a/agenix/hosts/tanker/mautrix-whatsapp/config.age and b/agenix/hosts/tanker/mautrix-whatsapp/config.age differ diff --git a/agenix/hosts/tanker/signald/environment.age b/agenix/hosts/tanker/signald/environment.age index ea99d381..bbba1590 100644 --- a/agenix/hosts/tanker/signald/environment.age +++ b/agenix/hosts/tanker/signald/environment.age 
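Review bot: Dropping `path`, `owner`, `group` and `mode` from mautrix-signal-config means the decrypted secret now lands at agenix's default location with its default root-only permissions, and nothing in this file says why that is sufficient; it is, because the new systemd units read it through `LoadCredential`, where the service manager copies the file as root and exposes it to the unit as `%d/config`, but that dependency lives in another file. A comment on the entry such as `# consumed via LoadCredential in system/nixos/matrix/mautrix-signal.nix; default root-only perms are intended` would stop a later edit from reintroducing the uid-1337 ownership and the 640 mode that the old container setup needed. The mautrix-whatsapp-config hunk below has the same shape and would take the same comment.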
@@ -1,10 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 MtGp6g TjcF9u1gbYjURFImt7uh+O7hNw3E2pR6H/i8Xd90DkU -wdeuBiwP0BTzMeVx+i7+jpWFaAW+dMnsXakFenPad/E --> ssh-ed25519 iO8/4g V/BUJLff8IK0g5UFXqJ5ftK6Fs8zpheFr4ETzKQd5xs -0hzEB9qG6VX878t7tZzfjyH2BkgAhl+uDR4jX9chwgY --> g.G-grease X;7X` 3ecO{T|m -/2RKLQzMCznCQXYnltmy7YhoXzHRJ4oxdArYCfQzJEcWDwy465xgm8EMNdu0mNA+ -O15n2g ---- C896AcFfLEvwf3tcYqZP5dfPKFmE4oaaKH6KveEao6A -'{3*v䖋Ѷ4ޫ<;QC(b- `.gon˲< >:l0ԑ]T⵽ 2Δ*h%l*WA O(屄WRA0[_HC6` \ No newline at end of file +-> ssh-ed25519 MtGp6g /N1cHH7SmlpEdvKEcMzVflInTXChp+eWJFU2RoPWMUk +7nLndAtQ3DWXYmPvwq9tDPBiPLJMuDuCRtSXdFveSoo +-> ssh-ed25519 iO8/4g WSUXe/SRWLMN23PWyOM7qOCbXOFvTrzmTcq0zW/ABFs +NmQoYqT0x6t0WByQrIg+OAvP4VUU5tVydAHfVTZvPUE +-> eo6mwb;-grease :nS'C`f ?/iI) +oQ4Y4ksapQU8WwrdzObrSTiUiS37dk+c180046s7BqC6GX8iXFjR9kQSPb6tR9bl +Nhh/zHwzdGQmy7VekRL8ZdpbUeKd5D6X7w +--- aHWIb4WJ+O2kXUGFczOA6ngejy6jkMOmrFmcKLllq8s +*?DGL5Bf&AH;as%1h1rdO&q"D`CQ5xq2_[gDd'+g)6n/*,;lxS;R[c ( \ No newline at end of file diff --git a/container/matrix/default.nix b/container/matrix/default.nix deleted file mode 100644 index 7d1291cb..00000000 --- a/container/matrix/default.nix +++ /dev/null 
@@ -1,54 +0,0 @@ -{ config, ... }: - -{ - virtualisation.oci-containers.containers = { - # https://gitlab.com/signald/signald - signald = { - image = "registry.gitlab.com/signald/signald:0.23.2"; - environmentFiles = [ config.age.secrets.signald-environment.path ]; - volumes = [ - "/var/lib/matrix-bridges/signald:/signald" - ]; - }; - - # https://mau.dev/mautrix/signal - matrix-signal = { - image = "dock.mau.dev/mautrix/signal:v0.4.3"; - dependsOn = [ "signald" ]; - ports = [ "127.0.0.1:29328:29328" ]; - volumes = [ - "/var/lib/matrix-bridges/signal:/data" - "/var/lib/matrix-bridges/signald:/signald" - ]; - }; - - # https://mau.dev/mautrix/whatsapp - matrix-whatsapp = { - image = "dock.mau.dev/mautrix/whatsapp:v0.8.6"; - ports = [ "127.0.0.1:29318:29318" ]; - volumes = [ - "/var/lib/matrix-bridges/whatsapp:/data" - ]; - }; - }; - - systemd.services = { - podman-signald.restartTriggers = [ - "${config.age.secrets.signald-environment.file}" - ]; - - podman-matrix-signal.restartTriggers = [ - "${config.age.secrets.mautrix-signal-config.file}" - ]; - - podman-matrix-whatsapp.restartTriggers = [ - "${config.age.secrets.mautrix-whatsapp-config.file}" - ]; - }; - - systemd.tmpfiles.rules = [ - "d /var/lib/matrix-bridges/signald 0775 0 0" - "d /var/lib/matrix-bridges/signal 0775 1337 1337" - "d /var/lib/matrix-bridges/whatsapp 0775 1337 1337" - ]; -} diff --git a/flake.lock b/flake.lock index 86caa310..f27b3066 100644 --- a/flake.lock +++ b/flake.lock @@ -415,11 +415,11 @@ ] }, "locked": { - "lastModified": 1690846843, - "narHash": "sha256-sfguzocpi42+juoiUNLMtXws33DeEZkbEVTLtx/LKC8=", + "lastModified": 1690887397, + "narHash": "sha256-ckasuN7MgAiDgLkUo1IdEq8FEKymcUWKzmY6/R9KOOo=", "owner": "nix-community", "repo": "home-manager", - "rev": "310c0063b2558e94ad8bc3c1f2ddead82e0872cd", + "rev": "4542db605602898fe0c431e19f01e1af2865dae8", "type": "github" }, "original": { 
@@ -514,11 +514,11 @@ }, "nixos-stable": { "locked": { - "lastModified": 1690726002, - "narHash": "sha256-cACz6jCJZtsZHGCJAN4vMobxzH5s6FCOTZHMrh/Hu0M=", + "lastModified": 1690835256, + "narHash": "sha256-SZy/Nvwbf6CorhEsvmjqgjoYNLnRfaKVZMfSnpUDPnc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "391e8db1f06c3f74c2d313a73135515023af3993", + "rev": "b7cde1c47b7316f6138a2b36ef6627f3d16d645c", "type": "github" }, "original": { @@ -530,11 +530,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690833316, - "narHash": "sha256-+YU+/pTJmVKNW12R07/SJiTn7PQk90xwCI4D2PfLRPs=", + "lastModified": 1690860117, + "narHash": "sha256-srkCfjMlg777HxDVMfhkIFgRhhtuZjIOIyR2ejLYK+Y=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9418167277f665de6f4a29f414d438cf39c55b9e", + "rev": "96d403ee2479f2070050353b94808209f1352edb", "type": "github" }, "original": { diff --git a/home/programs/nvim/plugins.nix b/home/programs/nvim/plugins.nix index 3d83b369..995e1ea9 100644 --- a/home/programs/nvim/plugins.nix +++ b/home/programs/nvim/plugins.nix @@ -308,12 +308,12 @@ in }; comment-nvim = buildVimPluginFrom2Nix { pname = "comment.nvim"; - version = "2023-06-12"; + version = "2023-08-01"; src = fetchFromGitHub { owner = "numtostr"; repo = "comment.nvim"; - rev = "176e85eeb63f1a5970d6b88f1725039d85ca0055"; - sha256 = "0y3zhv82hi8avxhmp1c9h0r17kfclwxphzyk7701f6wjky375ksw"; + rev = "bacbed6346d1c5a095897f3fde3451a9a08e7f7d"; + sha256 = "19s2kmflga4v0dqwjb79imbv4aa4hcck340159rbzdb8a3bfhrji"; fetchSubmodules = false; }; }; diff --git a/system/hosts/tanker.nix b/system/hosts/tanker.nix index b066905b..e9bb1651 100644 --- a/system/hosts/tanker.nix +++ b/system/hosts/tanker.nix @@ -49,13 +49,12 @@ in ../nixos/rimgo.nix - ../nixos/synapse.nix + ../nixos/matrix ../nixos/tailscale.nix ../nixos/websites-tanker.nix - ../../container/matrix ../../container/proxitok ../../container/weewx ]; 
diff --git a/system/nixos/matrix/default.nix b/system/nixos/matrix/default.nix
new file mode 100644
index 00000000..c1692a41
--- /dev/null
+++ b/system/nixos/matrix/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./synapse.nix
+ ./mautrix-whatsapp.nix
+ ./mautrix-signal.nix
+ ];
+}
diff --git a/system/nixos/matrix/mautrix-signal.nix b/system/nixos/matrix/mautrix-signal.nix
new file mode 100644
index 00000000..7a2a9e38
--- /dev/null
+++ b/system/nixos/matrix/mautrix-signal.nix
@@ -0,0 +1,39 @@
+{ pkgs, config, ... }:
+
+{
+ services.signald.enable = true;
+ systemd.services.signald.serviceConfig.EnvironmentFile = [
+ config.age.secrets.signald-environment.path
+ ];
+
+ systemd.services.mautrix-signal = {
+ description = "A Matrix-Signal puppeting bridge";
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "matrix-synapse.service" "signald.service" ];
+ after = [ "matrix-synapse.service" "signald.service" ];
+ restartTriggers = [ "${config.age.secrets.mautrix-signal-config.file}" ];
+ serviceConfig = {
+ User = config.services.signald.user;
+ Group = config.services.signald.group;
+ LoadCredential = [ "config:${config.age.secrets.mautrix-signal-config.path}" ];
+ ExecStart = "${pkgs.mautrix-signal}/bin/mautrix-signal --config=%d/config --no-update";
+ Restart = "on-failure";
+ RestartSec = "5s";
+
+ StateDirectory = "mautrix-signal";
+ RuntimeDirectory = "mautrix-signal";
+ StateDirectoryMode = "0750";
+ RuntimeDirectoryMode = "0750";
+
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ PrivateTmp = true;
+ };
+ };
+
+ services.matrix-synapse.settings.app_service_config_files = [
+ "/var/lib/matrix-synapse/bridges/registration-signal.yaml"
+ ];
+}
diff --git a/system/nixos/matrix/mautrix-whatsapp.nix b/system/nixos/matrix/mautrix-whatsapp.nix
new file mode 100644
index 00000000..7471e9ad
--- /dev/null
+++ b/system/nixos/matrix/mautrix-whatsapp.nix
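Review bot: The mautrix-signal unit in system/nixos/matrix/mautrix-signal.nix omits `ProtectSystem = "strict";` even though the sibling mautrix-whatsapp unit added in this same commit sets it, so the bridge process keeps write access to /usr, /etc and the rest of the root filesystem; directories declared via StateDirectory and RuntimeDirectory stay writable under strict, so adding the line next to `ProtectHome = true;` should not change what the bridge can do legitimately. The unit also runs as signald's user and group instead of a DynamicUser, presumably so it can reach signald's socket and shared state — a one-line comment above `User = config.services.signald.user;` saying so would save the next reader the guess, and would make it explicit that the bridge and signald now share a uid. The registration file under /var/lib/matrix-synapse/bridges/ is referenced by `app_service_config_files` but nothing in this change creates it, so a comment on where it comes from belongs there too.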
@@ -0,0 +1,30 @@
+{ pkgs, config, ... }:
+
+{
+ systemd.services.mautrix-whatsapp = {
+ description = "Matrix <-> Whatsapp hybrid puppeting/relaybot bridge";
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "matrix-synapse.service" ];
+ after = [ "matrix-synapse.service" ];
+ restartTriggers = [ "${config.age.secrets.mautrix-whatsapp-config.file}" ];
+ serviceConfig = {
+ DynamicUser = true;
+ StateDirectory = "mautrix-whatsapp";
+ LoadCredential = [ "config:${config.age.secrets.mautrix-whatsapp-config.path}" ];
+ ExecStart = "${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp --config=%d/config --no-update";
+ Restart = "on-failure";
+ RestartSec = "5s";
+
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ PrivateTmp = true;
+ };
+ };
+
+ services.matrix-synapse.settings.app_service_config_files = [
+ "/var/lib/matrix-synapse/bridges/registration-whatsapp.yaml"
+ ];
+}
diff --git a/system/nixos/synapse.nix b/system/nixos/matrix/synapse.nix
similarity index 91%
rename from system/nixos/synapse.nix
rename to system/nixos/matrix/synapse.nix
index 2952a853..b9dcd20d 100644
--- a/system/nixos/synapse.nix
+++ b/system/nixos/matrix/synapse.nix
@@ -15,7 +15,7 @@ in listeners = [ { - bind_addresses = [ "127.0.0.1" "10.88.0.1" ]; + bind_addresses = [ "127.0.0.1" ]; port = 8008; tls = false; type = "http";
@@ -81,11 +81,6 @@ in enable_metrics = false; report_stats = false; - app_service_config_files = [ - "/var/lib/matrix-bridges/signal/registration.yaml" - "/var/lib/matrix-bridges/whatsapp/registration.yaml" - ]; - experimental_features = { msc3202_device_masquerading = true; msc3202_transaction_extensions = true; 
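Review bot: `app_service_config_files` at the bottom of mautrix-whatsapp.nix points synapse at /var/lib/matrix-synapse/bridges/registration-whatsapp.yaml, but nothing in this commit writes that file, and with `DynamicUser = true` the bridge's own state lives in /var/lib/mautrix-whatsapp under a transient uid, so the copy into synapse's directory is presumably a manual deployment step. A comment such as `# registration-whatsapp.yaml is presumably produced by the bridge and has to be copied here by hand; synapse must be able to read it` next to the path would document the step the module depends on and why synapse, not the bridge user, owns the copy. The same applies to registration-signal.yaml in mautrix-signal.nix.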
@@ -107,9 +102,7 @@ in }; }; - systemd.services.matrix-synapse.after = [ "postgresql.service" "podman-wait-for-host-interface.service" ]; - - networking.firewall.interfaces."podman+".allowedTCPPorts = [ 8008 ]; + systemd.services.matrix-synapse.after = [ "postgresql.service" ]; services.nginx.virtualHosts."${fqdn}" = { quic = true;